Handbook

Web Application Firewall

The Web Application Firewall menu contains the features and configurations that let you use web application firewall policies to scan HTTP requests and responses against known attack signatures and methods, and to filter matching traffic.

This section is organized into the following sub-menu topics:

Web application firewall basics

A web application firewall (WAF) is a security policy enforcement point positioned between a client endpoint and a web application. The primary purpose is to prevent attacks against the web servers. A WAF is deployed separately from the web application so that the process overhead required to perform security scanning can be offloaded from the web server, and policies can be administered from one platform to many servers.

A WAF uses methods that complement perimeter security systems, such as the FortiGate next-generation firewall. The FortiADC WAF module applies a set of policies to HTTP scanpoints, which are parsed contexts of an HTTP transaction.

HTTP scanpoints illustrates the scanpoints. In the WAF policy configurations, you have options to enable rules to detect attacks at the request line, query string, filename, URI, request headers, request body, response code, or response body.

  • Web Attack Signature policy — The signature database includes signatures that detect known attacks and exploits across 29 scanpoints. In your policy configuration, you choose which classes of scanpoints to process: HTTP Headers, HTTP Request Body, and HTTP Response Body.
  • URL Protection policy — This policy enables you to create rules that detect patterns in the URI or the file extension.
  • HTTP Protocol Constraint policy — This policy enables you to create rules that restrict URI, header, and body length, HTTP method, or HTTP response code.
  • SQL/XSS Injection Detection policy — This policy includes rules to detect SQL/XSS injection in the HTTP Request URI, HTTP Referer Header, HTTP Cookie Header, or HTTP Request Body.
  • Cookie Security policy — This policy enables you to create rules that prevent cookie-based attacks and apply them in a protection profile.
  • Data Leak Prevention policy — This policy enables you to create rules that prevent information leaks, damages and loss.
  • HTTP Header Security policy — This policy enables you to create rules to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.
  • Input Validation Policy — This policy enables you to create rules to prevent suspicious HTTP requests by verifying the user input from scan points like URL parameter, HTML form, hidden fields, and upload file.
  • Brute Force Attack Detection policy — This policy enables you to create rules to prevent too many login tests.
  • Credential Stuffing Defense policy — This policy enables you to create rules to identify login attempts using username and password that have been compromised using an always up-to-date feed of stolen credentials.
  • JSON Detection policy — This policy enables you to create rules that enforce security checks that examine client HTTP requests for anomalies in JSON data in HTTP POST operations.
  • XML Detection policy — This policy enables you to create rules that examine client requests for anomalies in XML code.
  • OpenAPI Detection policy — This policy enables you to create rules through defining a standard, language-agnostic interface to RESTful APIs, which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection.
  • API Gateway policy — This policy includes an API management tool that sits between a client and a collection of backend services. It acts as a reverse proxy to accept all API calls and return the appropriate result.
  • Bot Detection — This policy includes rules to detect Bots. A Bot is an application that runs automated tasks over the Internet. The WAF supports two methods for detecting bad Bots: signature detection and behavior detection. You can also use allowlists to exclude known trusted sources (good Bots) from detection.
  • Threshold Based Detection — This policy enables you to create rules to detect bad bots, such as web crawlers, content scraping, and attack bots.
  • Biometrics Based Detection — This policy enables you to create rules that detect bots using behavioral biometrics such as mouse movement, keyboard, screen touch, and scroll.
  • Advanced Protection policy — This policy enables you to create rules that detect web crawlers and content scraping.
  • CSRF Protection policy — This policy enables you to create rules that protect backend servers from CSRF attacks.

Policy rules are enforced (action taken) when scanning is completed at four checkpoints:

  • HTTP Request Header
  • HTTP Request Body
  • HTTP Response Header
  • HTTP Response Body

If the HTTP Request Header violates a rule, and the action is Deny, the attempted session is dropped and scanning for the transaction stops. If the action is Alert, the event is logged and rules processing continues.

HTTP scanpoints

The following table lists common attacks and the FortiADC feature that addresses each (columns: Number, Attack, Solution).

  1. SQL Injection
     FortiADC supports two ways to prevent SQL injection attacks:
       • Signatures
       • SQL/XSS Injection Detection (under WAF > Common Attacks Detection)
     Enable FortiADC's exclusive SQL/XSS Injection Detection function for XSS attack prevention.

  2. Cross Site Scripting
     FortiADC supports two ways to prevent XSS injection attacks:
       • Signatures
       • SQL/XSS Injection Detection (under WAF > Common Attacks Detection)
     Enable FortiADC's exclusive SQL/XSS Injection Detection function for XSS attack prevention.

  3. Parameter/HTTP Tampering
     FortiADC supports this with the "request-body-detection" setting of a signature profile.
       • If the signature profile was created by cloning the "High-Level-Security" profile, "request-body-detection" is already enabled.
       • If the signature profile was created with "Create New", "request-body-detection" is disabled.
     You can enable it through the CLI, for example:

       config security waf web-attack-signature
         edit "Poc_Test"
           set request-body-detection enable
         next
       end

  4. Sensitive information
     Protected by configuring the Sensitive Data Type in a Data Leak Prevention (DLP) policy.

  5. Cross Site Request Forging (CSRF)
     Prevented by configuring “.*” in Parameter Value.

  6. Session Hijacking
     Prevented by enabling Cookie Security and configuring an Authentication policy.

  7. Blind SQL Injection
     FortiADC supports two ways to prevent SQL injection attacks:
       • Signatures
       • SQL/XSS Injection Detection (under WAF > Common Attacks Detection)
     It is recommended to enable the exclusive SQL/XSS Injection Detection function for SQL attack prevention.

  8. Request Smuggling
     FortiADC strictly follows RFC 7230, section 3.3.3. If both the Content-Length and Transfer-Encoding HTTP headers exist in a request, Content-Length is removed. This ensures that HTTP Request Smuggling attacks are blocked by FortiADC without any additional settings.

  9. Web Scraping
     FortiADC provides three ways to prevent Web Scraping attacks:
       • WAF Signatures
       • Content Detection (under WAF > Threshold Based Detection)
       • Content Scraping (under WAF > Common Attacks Detection > Advanced Protection)
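The Request Smuggling row above states the RFC 7230 section 3.3.3 rule FortiADC applies: when a request carries both Content-Length and Transfer-Encoding, the Content-Length header is dropped before the request goes downstream, so the proxy and the backend cannot disagree about where the request ends. The following Python is an added illustration of that normalization and is not FortiADC code; the raw request, header names other than the two framing headers, and the function names are constructed for the example.

```python
"""Normalizing ambiguous HTTP/1.1 framing headers per RFC 7230 section 3.3.3.

Added illustration, not FortiADC code: it models the behaviour described in
the handbook (drop Content-Length when Transfer-Encoding is also present) on
a constructed request so the effect is visible.
"""

CRLF = "\r\n"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).

    Headers come back as an ordered list of (name, value) pairs so that
    duplicates and the original order are preserved for inspection.
    """
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def normalize_framing(headers):
    """Apply the RFC 7230 3.3.3 rule.

    When Transfer-Encoding is present, every Content-Length header is removed
    before forwarding; Transfer-Encoding then unambiguously frames the body.
    Returns (kept_headers, removed_values); removed_values is empty when the
    request was not ambiguous.
    """
    has_te = any(name.lower() == "transfer-encoding" for name, _ in headers)
    if not has_te:
        return list(headers), []
    kept, removed = [], []
    for name, value in headers:
        if name.lower() == "content-length":
            removed.append(value)
        else:
            kept.append((name, value))
    return kept, removed


def serialize(request_line, headers, body) -> str:
    """Reassemble the request exactly as it would be sent downstream."""
    header_block = "".join(f"{name}: {value}{CRLF}" for name, value in headers)
    return request_line + CRLF + header_block + CRLF + body


def forward(raw: str) -> str:
    """Parse, normalize and re-serialize a request (the proxy's forwarding path)."""
    request_line, headers, body = parse_request(raw)
    headers, _removed = normalize_framing(headers)
    return serialize(request_line, headers, body)


# Constructed sample: both framing headers present, which is exactly the
# ambiguous shape that section 3.3.3 tells an intermediary to clean up.
# The body is a single terminating chunk, i.e. an empty chunked body.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1" + CRLF
    + "Host: app.example.test" + CRLF
    + "Content-Length: 6" + CRLF
    + "Transfer-Encoding: chunked" + CRLF
    + CRLF
    + "0" + CRLF + CRLF
)

if __name__ == "__main__":
    _, hdrs, _ = parse_request(SAMPLE_REQUEST)
    kept, removed = normalize_framing(hdrs)
    print("removed Content-Length values:", removed)
    print(forward(SAMPLE_REQUEST))
```

A request with only Content-Length passes through unchanged, and a request with only Transfer-Encoding is already unambiguous; the rewrite only fires on the combination, which is the case RFC 7230 calls out as a possible smuggling attempt.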

Web application firewall configuration overview

WAF configuration overview shows the relationship between WAF configuration elements. A WAF profile comprises a Web Attack Signature policy, URL Protection policy, HTTP Protocol Constraint policy, SQL/XSS Injection Detection, Bot Detection policy, and more. The profile is applied to a load balancing virtual server, so all traffic routed to the virtual server is subject to the WAF rules. WAF profiles can be applied to HTTP and HTTPS virtual servers but not HTTP Turbo virtual servers.

WAF configuration overview

Predefined configuration elements

The FortiADC WAF includes many predefined configuration elements to help you get started: WAF profiles, Web Attack Signature policies, HTTP Protocol Constraint policies, SQL/XSS Injection Detection policies, JSON Detection and XML Detection.

Severity

The severity ratings for predefined Web Attack Signatures and the default severity rating for feature options like SQL/XSS Injection Detection are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology. In order to harmonize the significance of severity levels in logs, we recommend you use this methodology to assign severity for any custom elements you create.

Action

You can create an action that FortiADC takes when the conditions of a WAF rule are met.

Basic Steps
  1. Create configuration objects that define the action.
  2. Select this action in a WAF rule configuration.

Exceptions

You can create exceptions so that traffic to specific hosts or URL patterns is not subject to processing by WAF rules. Exception lists are processed before traffic is inspected. If an exception applies, the traffic bypasses the WAF module.

Basic Steps

  1. Create configuration objects that define the exception.
  2. Add the exception to a WAF profile configuration or WAF rule configuration.
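Two statements in this section describe the order in which FortiADC evaluates traffic: the four checkpoints passage (a Deny at a checkpoint drops the session and stops scanning, an Alert logs and lets rule processing continue) and the Exceptions passage (exception lists are processed before inspection, and a matching host or URL pattern bypasses the WAF module). The following Python is an added model of that evaluation order and is not FortiADC code; the rule syntax, the `WafException` host/URL-pattern shape, the regex patterns and the sample transactions are all constructed for the example.

```python
"""Model of WAF exception bypass and checkpoint enforcement order.

Added illustration, not FortiADC code. It models two handbook statements:
exceptions are evaluated before any inspection and matching traffic bypasses
the WAF, and rules are enforced at four checkpoints, where a Deny drops the
session and stops scanning while an Alert only logs and continues. The rule
format, exception format and transactions below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Order in which policy rules are enforced, per the handbook.
CHECKPOINTS = ("request_header", "request_body", "response_header", "response_body")


@dataclass
class Transaction:
    host: str
    path: str
    request_header: str
    request_body: str
    response_header: str
    response_body: str


@dataclass
class Rule:
    name: str
    checkpoint: str   # one of CHECKPOINTS
    pattern: str      # regex matched against that checkpoint's content
    action: str       # "deny" or "alert"


@dataclass
class WafException:
    host: str         # exact host match (constructed shape)
    url_pattern: str  # regex matched against the request path


@dataclass
class Verdict:
    bypassed: bool = False
    denied_at: Optional[str] = None
    denied_by: Optional[str] = None
    alerts: List[Tuple[str, str]] = field(default_factory=list)
    scanned: List[str] = field(default_factory=list)


def exception_applies(exceptions, tx) -> bool:
    """Exceptions are checked before inspection; a match skips the WAF entirely."""
    return any(e.host == tx.host and re.search(e.url_pattern, tx.path)
               for e in exceptions)


def enforce(rules, exceptions, tx) -> Verdict:
    """Walk the checkpoints in order, applying Deny/Alert semantics."""
    verdict = Verdict()
    if exception_applies(exceptions, tx):
        verdict.bypassed = True
        return verdict
    for cp in CHECKPOINTS:
        verdict.scanned.append(cp)
        content = getattr(tx, cp)
        for rule in (r for r in rules if r.checkpoint == cp):
            if not re.search(rule.pattern, content, re.IGNORECASE | re.MULTILINE):
                continue
            if rule.action == "deny":
                # Deny: the session is dropped and no later checkpoint is scanned.
                verdict.denied_at, verdict.denied_by = cp, rule.name
                return verdict
            # Alert: the event is logged and rule processing continues.
            verdict.alerts.append((cp, rule.name))
    return verdict


# Constructed policy: a protocol constraint, a header-leak alert, a DLP deny.
SAMPLE_RULES = [
    Rule("trace_method", "request_header", r"^TRACE ", "deny"),
    Rule("server_banner", "response_header", r"^Server:", "alert"),
    Rule("card_number", "response_body", r"\b\d{4}-\d{4}-\d{4}-\d{4}\b", "deny"),
]
# Constructed exception: the health endpoint of one host is never inspected.
SAMPLE_EXCEPTIONS = [WafException("app.example.test", r"^/healthz$")]

# Constructed transactions exercising each path through enforce().
TRACE_TX = Transaction("app.example.test", "/",
                       "TRACE / HTTP/1.1\r\nHost: app.example.test\r\n", "",
                       "HTTP/1.1 405 Method Not Allowed\r\n", "")
LEAKY_TX = Transaction("app.example.test", "/account",
                       "GET /account HTTP/1.1\r\nHost: app.example.test\r\n", "",
                       "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\n",
                       "card on file: 4111-1111-1111-1111")
HEALTH_TX = Transaction("app.example.test", "/healthz",
                        "GET /healthz HTTP/1.1\r\nHost: app.example.test\r\n", "",
                        "HTTP/1.1 200 OK\r\n", "ok")

if __name__ == "__main__":
    for label, tx in (("TRACE", TRACE_TX), ("leaky", LEAKY_TX), ("health", HEALTH_TX)):
        print(label, enforce(SAMPLE_RULES, SAMPLE_EXCEPTIONS, tx))
```

The TRACE transaction is denied at the first checkpoint and the remaining three are never scanned; the leaky transaction raises an alert at the response header and continues until the DLP rule denies it at the response body; the health check matches the exception and produces no scanning at all, which is why exception scope should be kept as narrow as the host and URL pattern allow.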